EvilZone

Hacking and Security => Beginner's Corner => : Avengers August 12, 2015, 05:11:53 PM

: Cracking my neighbors wifi
: Avengers August 12, 2015, 05:11:53 PM
Alright, so I've been spending a lot of time reading and watching videos on hacking and I'm currently about 25% through a penetration testing course designed to work you towards a CEH (which I'd love to have someday, although I plan to be more gray hat) and I'm trying to gain access to my neighbor's network by cracking the WPA/WPA2 handshake. I've already captured it and run it through rockyou.txt as well as some hashcat brute-forcing using digits I thought might be in the passcode as they were in the default SSID our ISP gave our neighbor's router. My neighbors aren't tech savvy and it's pretty safe to say everything is still at default.


Going off of what the same ISP set MY router password as, it is most likely the last 5 sections of the router's internal MAC address. My router's MAC address is in the format of: 11:11:A1:11:11:A1 (where 1 is a number and A is a letter) and the default passcode is 11A11111A1. I have no choice but to hope this is the same format for my neighbor as a 10-digit passcode will be impossible to straight up brute force. I'm currently trying to brute force this format with oclHashcat, but it's supposed to take 6 days, and I'm not sure if this is the format Frontier (my ISP) would even use... I'd love to find out my ISP's password creation policy but I have a hunch it is the internal MAC of the router... internal being NOT the one you'd get from airodump-ng. Is there a way for me to get that internal MAC address without being on my neighbor's network?
: Re: Cracking my neighbors wifi
: th31nitiate August 12, 2015, 05:25:22 PM
Can you explain a bit more about what you mean by internal MAC?



: Re: Cracking my neighbors wifi
: proxx August 12, 2015, 05:30:23 PM
Basically no.
Entirely depends on which MAC address; if it is the AP's MAC, well then yes.
In this case just run airodump and make note of the BSSID.
If it is the (or one of the) Ethernet interface(s), which I think is what you mean, then no.
: Re: Cracking my neighbors wifi
: white-knight August 12, 2015, 05:44:09 PM
You can look more into the routers you and your neighbors have. Maybe you can generate a custom wordlist off some MAC addresses you find.



Also, in case it was changed, most "non tech savvy" people will change it to something simple like a phone number, address and so on. So you could also generate a wordlist starting with the area code.





: Re: Cracking my neighbors wifi
: Avengers August 12, 2015, 06:05:13 PM
I'm not sure what router they have, but I found a few on our ISP's website and being as they just moved in, it's safe to say they're probably using one of the ones on the website guides. How could I go about finding MAC addresses of these routers?


And yes, I'm not talking about the AP MAC, I'm talking about the other one.
: Re: Cracking my neighbors wifi
: 0E 800 August 12, 2015, 08:18:24 PM
A lot of times the password is the home phone number.

Create a wordlist for your area code:

seq 5101000000 5109999999 > phone.txt
Where 510 is your area code.

Try that list against your handshake.

: Re: Cracking my neighbors wifi
: iTpHo3NiX August 12, 2015, 09:23:22 PM
OK, APs have one MAC address; however, all MAC addresses are 10 characters long and are 0-9 and A-F (capitals only). Also most ISPs use a 10-character to 15-character default password.

However these are pretty hefty wordlists and without a GPU's help will take forever. Phone numbers with directed area codes will be much better.
: Re: Cracking my neighbors wifi
: white-knight August 12, 2015, 09:41:34 PM
The only way to find the MAC of the actual router is to either physically look at it or get connected to their network.


If you can't crack the handshake then try WPS and other methods.


If you can't do that then just ask to see their router, I'm sure they won't mind :o
: Re: Cracking my neighbors wifi
: proxx August 12, 2015, 11:00:22 PM
Well you can find the vendor based on the BSSID.
You can then check the vendor MAC space, shouldn't be that big.
Might cut a few zeros from that bruteforce time.
: Re: Cracking my neighbors wifi
: kenjoe41 August 13, 2015, 02:04:27 AM
I was also going to say that when all fails, befriend the neighbours and SE them into showing you that nice cool router they have since you also want to buy one or something.
: Re: Cracking my neighbors wifi
: iTpHo3NiX August 13, 2015, 04:44:13 AM
Doesn't work when the neighbors are like "what's a router? idk, I have the one from <insert isp name here>".
: Re: Cracking my neighbors wifi
: aes256 August 13, 2015, 11:17:20 AM
Try an evil twin attack and social engineer them into giving you it. Or you can check if WPS is enabled or not to crack the 8-digit PIN of the router, which will usually take you 8 hours or so since it's only 8 digits you are cracking. Cracking with a dictionary almost always fails.

And, exactly why are you fucking with your neighbors? After you're in, you are going to run Armitage and exploit their computers? I don't see the point. I guess you are just testing what you are learning on someone you don't have permission to do it on, and for the "lulz" of course.
: Re: Cracking my neighbors wifi
: Avengers August 13, 2015, 06:30:26 PM
I've never tried an evil twin before, so I'll do some research and whatnot but would I have to go any further than replicating their AP and one way or another bumping them off theirs, make them jump to mine and in doing so force them to re-enter the password that I'd just then have?
And to answer your question: I really am doing it to see if I can gain access to their network. I don't plan on stealing anything or spying, my goal is to just get into the network, and then try to use hydra to hop on the router if I can. Nothing malicious in mind.


Also thanks to everyone with the brute-force suggestions, I'm new here and I appreciate the time taken to respond a TON!  ;D
I'll probably try some different brute-force ideas before I go evil twin, the less invasive I can be, the better while I do this.


PS the router is NOT WPS enabled so I can't use any of those suggestions :/
: Re: Cracking my neighbors wifi
: iTpHo3NiX August 13, 2015, 08:10:39 PM
Evil Twin will only work if you have some strong antennas. Look into the YAGI
: Re: Cracking my neighbors wifi
: Avengers August 13, 2015, 08:23:28 PM
I'm using a TP-LINK WN722N as my wifi card, and my neighbors are literally next door. I have no clue where their router is but if I turn the power all the way up on the card do you think I'd have a chance?

EDIT: Also I looked into the MAC vendor and it's Actiontec, just in case anyone has any experience related to Actiontec routers.


EDIT 2: (Sorry last edit I swear) So I've been looking at the example 10-character passwords on router manuals from Actiontec and ones listed on my ISP's site and I've noticed each 10-character passcode uses an 8-character character set... Now I'm thinking about trying to find some more passwords online, look at the character sets and use the most common characters for an oclHashcat mask...

EDIT 3: (I lied) So I discovered that the only Actiontec router my ISP talks about is the Actiontec MI424WR Rev. I, which by default has a 16-digit passphrase, but it also has WPS, but I know it's not WPS enabled.
: Re: Cracking my neighbors wifi
: aes256 August 13, 2015, 09:02:23 PM
I use ALFA (blah blah enter some shit here). It's very powerful, and I've had a ton of success in wireless penetration.

I recommend an Evil Twin attack. Here's a simple definition of it: you make a duplicate of the original one, deauthenticate everyone from the original one and broadcast the fake one (the Evil Twin) so they automatically connect to that one. Then, with your victims on that rogue access point, the options are endless. Redirect them to a security page asking for the WPA/WPA2 password, or ask them for credit card info to log in (lol), etc.

There are many videos on YouTube explaining how to do the attack. Scripts like wifiphisher automate the task for you as well. A nice script, quite handy. Automates setting up iptables, mysql, etc.
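The attack described above leaves two signatures on the air that the network's owner can watch for: a burst of deauthentication frames against the legitimate BSSID, and a beacon advertising the owner's SSID from a BSSID the owner does not control. The following is an added example, not code from this thread or from wifiphisher, of a small monitor that flags both over a constructed frame capture; the BSSIDs, SSID and thresholds are assumptions.

```python
# Added example: flag a deauth flood and a cloned-SSID beacon in a stream of
# simplified 802.11 management-frame records (dicts with ts, subtype, bssid,
# and ssid for beacons). All identifiers below are constructed.
from collections import defaultdict, deque

KNOWN_BSSIDS = {"aa:bb:cc:11:22:33"}   # assumed: the BSSID(s) of our own AP
OUR_SSID = "HomeNet-1234"              # assumed: the SSID we advertise
DEAUTH_THRESHOLD = 20                  # deauths per window before alerting
WINDOW_SECONDS = 5.0                   # sliding window length

def analyse(frames):
    """Return a list of alert strings for the frames seen, in order."""
    alerts = []
    recent = defaultdict(deque)        # bssid -> timestamps of recent deauths
    flagged_flood, flagged_twin = set(), set()
    for f in frames:
        if f["subtype"] == "deauth":
            q = recent[f["bssid"]]
            q.append(f["ts"])
            # drop timestamps that have fallen out of the sliding window
            while q and f["ts"] - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= DEAUTH_THRESHOLD and f["bssid"] not in flagged_flood:
                flagged_flood.add(f["bssid"])
                alerts.append(f"deauth flood: {len(q)} frames within "
                              f"{WINDOW_SECONDS}s against {f['bssid']}")
        elif f["subtype"] == "beacon":
            # our SSID from a BSSID we do not own is the evil-twin signature
            if (f.get("ssid") == OUR_SSID and f["bssid"] not in KNOWN_BSSIDS
                    and f["bssid"] not in flagged_twin):
                flagged_twin.add(f["bssid"])
                alerts.append(f"possible evil twin: SSID {OUR_SSID!r} "
                              f"advertised by unknown BSSID {f['bssid']}")
    return alerts

def sample_frames():
    """Constructed capture: normal beacons, a deauth burst, then a cloned SSID."""
    frames = [{"ts": t * 0.1, "subtype": "beacon", "bssid": "aa:bb:cc:11:22:33",
               "ssid": OUR_SSID} for t in range(10)]
    frames += [{"ts": 1.0 + i * 0.05, "subtype": "deauth",
                "bssid": "aa:bb:cc:11:22:33"} for i in range(25)]
    frames.append({"ts": 2.5, "subtype": "beacon",
                   "bssid": "de:ad:be:ef:00:01", "ssid": OUR_SSID})
    return frames

if __name__ == "__main__":
    for line in analyse(sample_frames()):
        print(line)
```

A real deployment would feed it frames from a monitor-mode interface and tune the threshold to the AP's own deauth baseline, which on a quiet home network is close to zero.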
: Re: Cracking my neighbors wifi
: Avengers August 13, 2015, 09:28:29 PM
Yeah I'm starting to think that may be my only option... especially if the router is the Actiontec one I think it is, the password is going to be like 16 digits long as the default. I'll look into the attack and see what I can do... maybe I'll say something along the lines of "A router firmware update has been downloaded. Please enter your wireless password below to authorize installation." if I decide to do it. I'm still on the fence as to whether I really want to chance messing with them this much when I live right next to them...
: Re: Cracking my neighbors wifi
: aes256 August 13, 2015, 09:41:07 PM
There is an MDK3 attack that allows you to deauthenticate them repeatedly until they downgrade their encryption standards to WEP. However, this requires social engineering. Like, "Hey Bob, have you had some issues with your internet? I had, but I fixed it by downgrading the encryption to WEP." He responds, "Yes. Can you show me how to fix it?" You say, "Sure!", then just downgrade the encryption and bam! You got access after decrypting the WEP key.

The Evil Twin attack can be difficult to pull off as you need to write up a custom HTML file that resembles the router. However, if he's not tech savvy, you might just write up something very basic; he'll most likely fall for it.

Also, if you are willing to try to crack it, try using rainbow tables. Research more on it if you aren't familiar.

Edit: Once you're in, and you want data, remember to use SSLSTRIP to decrypt the encryption mechanism of sites using HTTPS, or you won't be able to capture it. Most sites use TLS now, but some are still vulnerable, including Yahoo, MSN, etc. Or use Armitage to break into the devices on the network by automatically having Armitage exploit them for you.
: Re: Cracking my neighbors wifi
: Avengers August 14, 2015, 12:49:59 PM
Gotcha, I'll look into all of that ASAP. Thanks a ton for all the help man, this noob appreciates it a ton!
: Re: Cracking my neighbors wifi
: Day_dreamer September 04, 2015, 07:53:00 AM
I know this may sound strange but you can actually drop USB(s) or memory card(s) that contain a backdoor that connects back to your home PC, but you've got to port forward your router, wait 4 days and pray they become curious about that storage device (btw you can make it as alluring as possible). By the time you have established an encrypted connection you can work your way up to root privileges and dump their network keys. I have not tried it yet tho 8) 8) good luck brother
: Re: Cracking my neighbors wifi
: 0E 800 September 04, 2015, 07:43:46 PM
Just post the captured handshake .cap file.

Try running Revdk3

https://github.com/0x90/wps-scripts/blob/master/ReVdK3-r2.sh

: Re: Cracking my neighbors wifi
: proxx September 05, 2015, 03:02:58 AM
Do we need automated scripts to crack a handshake these days? :'(